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Application/Control Number: 09/966,227 Page 
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1 This action is in response to the communication filed on 10/24/2005. 

2 DETAILED ACTION 

3 Continued Examination Under 3 7 CFR 1.114 

4 A request for continued examination under 37 CFR 1.114, including the fee set forth in 

5 37 CFR 1 .17(e), was filed in this application after final rejection. Since this application is 

6 eligible for continued examination under 37 CFR 1.1 14, and the fee set forth in 37 CFR 1.17(e) 

7 has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 

8 37 CFR 1.114. Applicant's submission filed on 6/20/2005 has been entered. 

9 Response to Arguments 

10 Applicant's arguments with respect to claim 5-7, 10-12, and 19-30 have been considered 

1 1 but are moot in view of the new ground(s) of rejection. 

12 Claims 5-7, 10-12, and 19-30 have been examined, while claims . 

13 All objections and rejections not set forth below have been withdrawn. 

1 4 Claim Rejections - 35 USC §112 

15 The following is a quotation of the second paragraph of 35 U.S.C. 112: 

1 6 The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 

1 7 subject matter which the applicant regards as his invention. 

18 

19 Claims 5-7, 10-12, and 19-30 are rejected under 35 U.S.C. 1 12, second paragraph, as 

20 being indefinite for failing to particularly point out and distinctly claim the subject matter which 

21 applicant regards as the invention. 

22 Claims 5 and 10 recite the hmitation "said denial of service attack" in line 4. There is 

23 insufficient antecedent basis for this limitation in the claim. The examiner will assume the 

24 limitation was meant to refer to the "denial of service intrusion". 
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1 Claims 19 and 25 recite the limitation "the protect device" in line 4. There is insufficient 

2 antecedent basis for this limitation in the claim. The examiner will assume the Umitation was 

3 meant to refer to the "protected device". 

4 Claims 6-7, 11-12, and 19-30 are rejected by virtue of their dependency to claims 5 and 

5 10. 

6 Claim Rejections - 35 JJSC §103 

1 The following is a quotation of 35 U.S. C. 103(a) which forms the basis for all 

8 obviousness rejections set forth in this Office action: 

9 A patent may not he obtained though the invention is not identically disclosed or 

10 described as set forth in section 102 of this title, if the differences between the subject matter 

1 1 sought to be patented and the prior art are such that the subject matter as a whole would have 

1 2 been obvious at the time the invention was made to a person having ordinary skill in the art to 

1 3 which said subject matter pertains. Patentability shall not be negatived by the manner in which 

14 the invention was made, 
15 

16 Claims 5, 10, and 19-30 are rejected under 35 U.S.C. 103(a) as being unpatentable over 

17 Vaidya (US Patent Number 6,279,1 13), and further in view of Sharma et al. (US Patent Number 

18 6,909,692) hereinafter referred to as Sharma 

19 Regarding claim 5, Vaidya disclosed a method of operating an intrusion detection system, 

20 comprising the steps of monitoring, by the intrusion detection system, for occurrence of a 

21 signature event that is indicative of a DOS intrusion on a protected device, said DOS attack 

22 attempting to impede operation of the protected device (See Vaidya Abstract and Col. 12 

23 Paragraphs 2-3); when a signature event occurs, increasing a value of a signature event counter 

24 and comparing the value of the signature event counter with a signature threshold quantity (See 

25 Vaidya Col. 12 Lines 26-36); when the value of the signature event counter exceeds the signature 
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1 threshold quantity, generating an alert by the intrusion detection sensor of the intrusion detection 

2 system (See Vaidya Col. 12 Lines 36-41, Col. 1 1 Lines 5-8, and Col. 6 Lines 20-26); but Vaidya 

3 failed to disclose recording a time for generating the alert in a log of a governor comprised by the 

4 intrusion detection sensor, determining from the contents of the log a present alert generation 

5 rate, and comparing the present alert generation rate with an alert generation rate threshold; or 

6 when the present alert generation rate exceeds the alert generation rate threshold, altering an 

7 element of a signature set of the intrusion detection system to decrease an alert generation rate of 

8 the intrusion detection system. 

9 Sharma teaches that generating too many alerts in a network management system can 

10 crash the system (See Sharma Col. 3 Paragraph 3) and further teaches that in order to control the 

1 1 alert generation rate, each alert should be logged including a time of the alert (See Sharma Col. 8 

12 Line 61 - Col. 9 Line 15), an alert generation rate should be determined using the log (See 

13 Sharma Col. 9 Lines 16-25), the determined rate should be compared with a threshold (See 

14 Sharma Col. 9 Lines 25-27), and when the rate is too high, altering the management system to 

15 decrease an alert generation rate of the system (See Sharma Col. 9 Line 28 - Col. 10 Line 15 and 

16 Col. 7 Lines 1-23). 

17 It would have been obvious to the ordinary person skilled in the art at the time of 

18 invention to employ the teachings of Sharma in the IDS system of Vaidya by the reaction module 

19 logging the alerts, determining the alert generation rate, comparing the rate to the threshold rate, 

20 and if greater than the threshold altering the attack signature profile to indicate a new threshold 

21 for event rate in order to begin transmitting alerts again. This would have been obvious because 

22 the ordinary person skilled in the art would have been motivated to protect the system 



Application/Control Number: 09/966,227 Page 5 

Art Unit: 2131 

1 administrator from being over informed as well as protecting the management system from 

2 crashing. 

3 Regarding claim 10, Vaidya disclosed programmable media containing programmable 

4 software for operation of an intrusion detection system, programmable software comprising the 

5 steps of monitoring, by the intrusion detection system, for occurrence of a signature event that is 

6 indicative of a DOS intrusion on a protected device, said DOS attack attempting to impede 

7 operation of the protected device (See Vaidya Abstract and Col. 12 Paragraphs 2-3); when a 

8 signature event occurs, increasing a value of a signature event counter and comparing the value 

9 of the signature event counter with a signature threshold quantity (See Vaidya Col. 12 Lines 26- 

10 36); when the value of the signature event counter exceeds the signature threshold quantity, 

1 1 generating an alert by the intrusion detection sensor of the intrusion detection system (See 

12 Vaidya Col. 12 Lines 36-41, Col. 1 1 Lines 5-8, and Col. 6 Lines 20-26); but Vaidya failed to 

13 disclose recording a time for generating the alert in a log of a governor comprised by the 

14 intrusion detection sensor, determining from the contents of the log a present alert generation 

15 rate, and comparing the present alert generation rate with an alert generation rate threshold; or 

16 when the present alert generation rate exceeds the alert generation rate threshold, altering an 

17 element of a signature set of the intrusion detection system to decrease an alert generation rate of 

1 8 the intrusion detection system. 

19 Sharma teaches that generating too many alerts in a network management system can 

20 crash the system (See Sharma Col 3 Paragraph 3) and further teaches that in order to control the 

21 alert generation rate, each alert should be logged including a time of the alert (See Sharma Col. 8 

22 Line 61 - Col. 9 Line 15), an alert generation rate should be determined using the log (See 
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1 Sharma Col. 9 Lines 16-25), the determined rate should be compared with a threshold (See 

2 Sharma Col. 9 Lines 25-27), and when the rate is too high, altering the management system to 

3 decrease an alert generation rate of the system (See Sharma Col. 9 Line 28 - Col. 10 Line 15 and 

4 Col. 7 Lines 1-23). 

5 It would have been obvious to the ordinary person skilled in the art at the time of 

6 invention to employ the teachings of Sharma in the IDS system of Vaidya by the reaction module 

7 logging the alerts, determining the alert generation rate, comparing the rate to the threshold rate, 

8 and if greater than the threshold altering the attack signature profile to indicate a new threshold 

9 for event rate in order to begin transmitting alerts again. This would have been obvious because 

10 the ordinary person skilled in the art would have been motivated to protect the system 

1 1 administrator from being over informed as well as protecting the management system from 

12 crashing. 

13 Regarding claims 19 and 25, Vaidya and Sharma disclosed alerting an administrator of 

14 suspected DOS intrusions upon the protected device (See Vaidya Col. 6 Lines 20-26). 

15 Regarding claims 20 and 26, Vaidya and Sharma disclosed that the alert generation rate 

16 threshold is comprised by the governor (See Sharma Col. 9 Lines 16-26). 

17 Regarding claims 21 and 27, Vaidya and Sharma disclosed that the signature set 

18 comprises a unique signature set identifier (See Vaidya Col. 10 Lines 25-45 "Pattern"), the 

19 signature event (See Vaidya Col. 10 Lines 25-45 "Attack Signature"), the signature event 

20 counter (See Vaidya Col. 12 Paragraph 3 "counter"), the signature threshold quantity (See 

21 Vaidya Col. 12 Paragraph 3 "threshold"), and a signature threshold interval that specifies a 

22 sliding time window (See Vaidya CoL 12 Paragraph 3 "predetermined time interval". 
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1 Regarding claims 22 and 28, Vaidya and Sharma disclosed that the protected device is 

2 selected from the group consisting of a computer, a web server, and a workstation (See Vaidya 

3 Col. 10 Lines 54-57). 

4 Regarding claims 23 and 29, Vaidya and Sharma disclosed entering into the log a list of 

5 timestamps that record the times at which the intrusion detection sensor generates alerts, wherein 

6 said determining from contents of the log a present alert generation rate utilizes the timestamps 

7 in the log (See Sharma Col. 9 Paragraph 2). 

8 Regarding claims 24 and 30, Vaidya and Sharma disclosed that after generating the alert 

9 and before determining from contents of the log the present alert generation rate, the method 

10 further comprises the step of clearing the log of any entries that are past a specific age (See 

1 1 Sharma Col. 9 Paragraph 2 and Vaidya Col. 12 Paragraph 2 wherein Vaidya disclosed purging 

12 the expired entries of a log prior to determining the generation rate associated with the log). 

13 Claims 6, and 1 1 are rejected under 35 U.S.C. 103(a) as being unpatentable over the 

14 combination of Vaidya and Sharma as applied to claims 5, and 10 above respectively, and further 

15 in view of Lunt (Detecting Intruders in Computer Systems). 

16 Vaidya and Sharma disclosed altering the signature set in order to reduce the frequency 

17 of alert generation by halting the alert generation (See the rejection of claim 5 above), but failed 

18 to disclose altering the threshold quantity in order to do so. 

19 Lunt teaches that alarms do not always pertain to individual events, and because they can 

20 come very quickly, after the first alarm is generated, subsequent alarms should be suppressed 

21 until a second threshold, greater than the first, is reached (See Lunt Page 14 Lines 11-17). 
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1 It would have been obvious to the ordinary person skilled in the art at the time of 

2 invention to employ the teachings of Lunt in the alert generation system of Vaidya and Sharma, 

3 by suppressing alerts after the first threshold was reached, until a higher threshold is reached. 



4 This would have been obvious because the ordinary person skilled in the art would have 

5 recognized that multiple attacks can occur at the same time and would not want to ignore attacks 

6 after the first initial attack. 



7 Claims 7, and 12 are rejected under 35 U.S.C. 103(a) as being unpatentable over the 

8 combination of Vaidya and Sharma as applied to claims 5, and 10 above respectively, and further 

9 in view of Martin et al. (US Patent Number 6,772,349) hereinafter referred to as Martin. 

10 Vaidya and Sharma disclosed altering the signature set in order to reduce the frequency 

1 1 of alert generation by halting the alert generation (See the rejection of claim 5 above) and that 

12 the generation rate was determined using a sliding time window (See Vaidya Col. 12 Paragraph 

13 2), but failed to disclose altering the threshold interval in order to do so. 

14 Martin teaches that in a network intrusion detection system, the time interval used to 

15 collect signature data is indirectly proportional to the number of false alarms detected (See 

16 Martin Col. 5 Lines 30-38). 

17 It would have been obvious to the ordinary person skilled in the art at the time of 

18 invention to employ the teachings of Martin in the alert suppressing system of Vaidya and 

19 Sharma, by decreasing the time interval once the threshold was broken. This would have been 

20 obvious because the ordinary person skilled in the art would have been motivated to ensure that 

21 legitimate alerts were detected while false alarms were reduced. 
22 
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1 Conclusion 

2 Claims 5-7, 10-12, and 19-30 have been rejected. 

3 Any inquiry concerning this communication or earlier communications from the 

4 examiner should be directed to Matthew T. Henning whose telephone number is (571) 272-3790. 

5 The examiner can normally be reached on M-F 8-4. 

6 If attempts to reach the examiner by telephone are unsuccessful, the examiner's 

7 supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 

8 organization where this application or proceeding is assigned is 571-273-8300, 

9 Information regarding the status of an application may be obtained from the Patent 

10 Application Information Retrieval (PAIR) system. Status information for published applications 

1 1 may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 

12 applications is available through Private PAIR only. For more information about the PAIR 

13 system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 

14 system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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